CVE-2008-7091

Pligg CMS 9.9.0 - Remote Code Execution

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to vote.php, which is not properly handled in libs/link.php; (2) id parameter to trackback.php; (3) an unspecified parameter to submit.php; (4) requestTitle variable in a query to story.php; (5) requestID and (6) requestTitle variables in recommend.php; (7) categoryID parameter to cloud.php; (8) title parameter to out.php; (9) username parameter to login.php; (10) id parameter to cvote.php; and (11) commentid parameter to edit.php.

Múltiples vulnerabilidades de inyección SQL en Pligg v9.9 y anteriores, permite a atacantes remotos ejecutar comandos SQL de su elección a través de el (1)parámetro id a vote.php, que no está manejado adecuadamente en libs/link.php; de los parámetros (2) id ao trackback.php; (3) un parámetro no especificado a submit.php; (4) la variable requestTitle en una consulta a story.php; las variables (5) requestID y (6) requestTitle en recommend.php; los parámetros(7) categoryID a cloud.php; (8) title a out.php; (9) username a login.php; (10) id a cvote.php y(11) commentid a edit.php.

*Credits: N/A

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-07-30 First Exploit
2009-08-26 CVE Reserved
2009-08-26 CVE Published
2024-08-02 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (16)

URL	Tag	Source
http://www.osvdb.org/50189	Vdb Entry
http://www.osvdb.org/50190	Vdb Entry
http://www.osvdb.org/50191	Vdb Entry
http://www.osvdb.org/50192	Vdb Entry
http://www.osvdb.org/50193	Vdb Entry
http://www.osvdb.org/50194	Vdb Entry
http://www.osvdb.org/50195	Vdb Entry
http://www.osvdb.org/50196	Vdb Entry
http://www.osvdb.org/50197	Vdb Entry
http://www.osvdb.org/50198	Vdb Entry
http://www.securityfocus.com/archive/1/494987/100/0/threaded	Mailing List
https://exchange.xforce.ibmcloud.com/vulnerabilities/44193	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/6172	2008-07-30
https://www.exploit-db.com/exploits/6173	2024-08-07
http://www.gulftech.org/?node=research&article_id=00120-07312008	2024-08-07
http://www.securityfocus.com/bid/30458	2024-08-07

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pligg Search vendor "Pligg"		Pligg Cms Search vendor "Pligg" for product "Pligg Cms"				<= 9.9.0 Search vendor "Pligg" for product "Pligg Cms" and version " <= 9.9.0"		-		Affected
Pligg Search vendor "Pligg"		Pligg Cms Search vendor "Pligg" for product "Pligg Cms"				9.5 Search vendor "Pligg" for product "Pligg Cms" and version "9.5"		-		Affected
Pligg Search vendor "Pligg"		Pligg Cms Search vendor "Pligg" for product "Pligg Cms"				9.9.0 Search vendor "Pligg" for product "Pligg Cms" and version "9.9.0"		beta		Affected